Dell Compellent Bug Leaves VMWare Environments Vulnerable to Attacks

August 10, 2023

Dell Compellent, a storage array service, has a significant vulnerability due to hardcoded credentials that could allow attackers to seize control of enterprise VMware environments. Although Dell Compellent was discontinued in 2019 and currently accounts for less than 1% of the data storage market according to Enlyft, organizations that still use it in combination with VMware environments should be aware of this high-impact vulnerability, designated as CVE-2023-39250.

Tom Pohl, a penetration testing team manager at LMG Security, will demonstrate at DEF CON 31 how an attacker within an enterprise network can identify and decode a private key associated with VMware's centralized management utility through Dell Compellent, thereby enabling a full takeover of a VMware environment. Furthermore, because the key is identical for every Dell customer, a breach at one organization could easily lead to a breach at any other. Pohl stated, 'This is just a real concrete example of how a private key in software can lead to complete network compromise of your organization.'

When Dell integrates the two services, it requires administrator credentials for VMware vCenter, the platform used for managing VMware environments. However, the Dell software stores these credentials in its configuration files, a fact that Pohl stumbled upon while working with a client's network. He noticed a username and password in the device and, although the credentials were not stored in plain text, Pohl was able to decompile the Java class he suspected was responsible for decryption, quickly finding an AES static key stored in the source code. After a bit of reverse engineering, he was able to extract a clear text password. Using this username and password obtained from the Dell Compellent software, he was able to log into vCenter and take control of the entire environment.

Pohl emphasized in a press release, 'This key is the same for EVERY customer! If a criminal leverages this vulnerability, they could use it against any of Dell's customers.' Despite exceeding the 90-day responsible disclosure window, LMG Security anticipates Dell will only release a patch sometime in the fall. The delay might be attributed to the complexity of creating an adequate fix or possibly due to Compellent's end-of-life status. In the interim, Pohl advises organizations still using these systems to 'definitely harden their environments.' He also suggests segmenting the network to prevent malicious users from accessing critical infrastructure.

Latest News

• Worldwide Industrial PLCs Vulnerable Due to CODESYS V3 RCE Flaws
• CISA Uncovers 'Whirlpool' Backdoor in Barracuda ESG Attacks
• CISA Highlights Exploited Flaw in .NET and Visual Studio
• New Side-Channel Attacks Impacting Modern CPUs: Collide+Power, Downfall, and Inception
• Microsoft Office Defense-In-Depth Update Thwarts Actively Exploited RCE Attack Chain